yarox24 / Attack_monitor

Licence: gpl-3.0
Endpoint detection & Malware analysis software

Programming Languages

python

Attack Monitor

Attack Monitor is a Python application written to enhance the security monitoring capabilities of Windows 7/2008 (and all later versions) workstations/servers and to automate dynamic analysis of malware.

Current modes (mutually exclusive):

  • Endpoint detection (ED)
  • Malware analysis (on dedicated Virtual Machine)

Based on events from:

  • Windows event logs
  • Sysmon
  • Watchdog (Filesystem monitoring Python library)
  • TShark (only malware analysis mode)

Current version

0.9.0 (Alpha)

Contact

[email protected]

Demo

demo/ed.gif

Supported OS

  • Windows 7, 8, 10 (x86 or x64)
  • Windows 2008, 2012, 2016 (x86 or x64)

Pre-requirements

  • PowerShell 5
  • Sysmon (downloaded, configured and installed by installer.py)
  • Python 3.6 (64-bit) - should work on Python 3.x
  • TShark (Malware analysis only)
  • Various Python3 libraries (requirements.txt)
  • StoneEngine library (included, first time published, high-level Windows event log interface - Alpha state)

Supported system events

Some of the events are only supported in Malware Analysis Mode

  • Filesystem changes
  • Permitted network connections
  • PowerShell activity (detailed only with PowerShell 5)
  • Process creation
  • SMB activity
  • Scheduled tasks
  • Local account manipulation
  • Successful/failed logons
  • Driver loads
  • Raw disk access
  • Registry monitoring
  • Pipe events
  • Services
  • Audit log cleared
  • WMI monitoring of queries + WMI persistence
  • DNS requests capture (via Tshark)

Installation - Endpoint Detection Mode

For Malware analysis mode - refer to next section

STEPS:
<Download newest release>
cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python installer.py sysmon
  => Choose endpoint detection mode
python installer.py psaudit
python installer.py auditpol
python installer.py install
  => Choose endpoint detection mode
python installer.py exceptions
[Apply section] Installation - How to enable WMI audit?

Installation - Malware analysis Mode

For Endpoint detection mode - refer to previous section

STEPS:
<Download newest release>
cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python installer.py sysmon
  => Choose malware analysis mode
python installer.py psaudit
python installer.py auditpol
python installer.py install
  => Choose malware analysis mode
[Install tshark] https://www.wireshark.org/download.html // To default location
[Apply section] Installation - How to choose network interface for malware listening? // (currently only DNS)
[Apply section] Installation - How to enable WMI audit?
[Apply section] Installation - How to monitor specific directories?

Installation - How to enable WMI audit?

compmgmt.msc
Services and Applications -> WMI Control -> Properties
Security -> Security -> Advanced -> Auditing -> Add

Select principal: Everyone
Type: All
Show advanced permissions:
  Select all (Execute Methods ... Edit Security)

Why isn't this in the installer.py script? Adding an audit entry to the WMI namespace security descriptor is hard to do programmatically.

Installation - How to choose network interface for malware listening?

Edit C:\Program Files\Attack Monitor\config\attack_monitor.cfg

Change in section [feeder_network_tshark]: network_interface=PUT INTERFACE NAME HERE # without quotes

How to determine the interface name?

TShark uses the adapter name shown in Control Panel\Network and Internet\Network Connections (Change adapter settings), e.g. "WiFi AC" (a custom name defined by the user) or "Ethernet0". To check which names TShark itself can see, run tshark -D from an elevated prompt; it lists every capture interface together with its friendly name, and the name you put in the config must match one of those.
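The DNS feed described above can be reproduced outside the project with a small TShark wrapper. The block below is an added example, not Attack Monitor's own feeder_network_tshark code: it builds a tshark command that prints one tab-separated line per DNS query on a chosen interface, parses those lines into records, and skips rows where a field is empty (TShark leaves ip.src blank for an IPv6 query, for instance). The interface name "Ethernet0", the tshark-on-PATH assumption and the sample output lines are all constructed for the example.

```python
import subprocess
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Placeholder interface name for this example; take the real one from
# Network Connections or from `tshark -D` (assumption, not a project default).
NETWORK_INTERFACE = "Ethernet0"

# TShark field names requested with -e; the output columns come in this order.
FIELDS = ["frame.time_epoch", "ip.src", "dns.qry.name"]


def tshark_command(interface: str) -> List[str]:
    """Build a tshark command that prints DNS queries (not responses) as fields.

    -l           line-buffer stdout so a pipe reader sees each line immediately
    -Y           display filter: queries only (dns.flags.response == 0)
    -T fields    print only the -e fields, tab separated, one packet per line
    """
    cmd = ["tshark", "-i", interface, "-l", "-Y", "dns.flags.response == 0", "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


@dataclass(frozen=True)
class DnsQuery:
    timestamp: float
    source_ip: str
    name: str


def parse_line(line: str) -> Optional[DnsQuery]:
    """Parse one '-T fields' output line; None for blank, short or malformed rows.

    A packet without the requested layer yields an empty column rather than a
    missing one, so the column count is checked first and then each value.
    """
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    ts, src, name = parts
    if not ts or not src or not name:
        return None
    try:
        return DnsQuery(float(ts), src, name.rstrip("."))  # normalise a trailing dot if present
    except ValueError:
        return None


def parse_stream(lines: Iterable[str]) -> Iterator[DnsQuery]:
    for line in lines:
        query = parse_line(line)
        if query is not None:
            yield query


def capture(interface: str = NETWORK_INTERFACE) -> Iterator[DnsQuery]:
    """Run tshark (must be on PATH) and yield queries as they are captured."""
    proc = subprocess.Popen(tshark_command(interface), stdout=subprocess.PIPE, text=True)
    try:
        assert proc.stdout is not None
        yield from parse_stream(proc.stdout)
    finally:
        proc.terminate()


# Constructed sample of tshark '-T fields' output for offline use; not a real capture.
SAMPLE_OUTPUT = [
    "1700000000.123456\t192.0.2.10\tupdate.example.com\n",
    "1700000000.223456\t192.0.2.10\tbeacon.example.net\n",
    "1700000000.323456\t\tipv6-only.example\n",  # ip.src empty: IPv6 packet, skipped
    "\n",
]

if __name__ == "__main__":
    for q in parse_stream(SAMPLE_OUTPUT):
        print(f"{q.timestamp:.3f} {q.source_ip} -> {q.name}")
```

Feeding `capture()` into an alert pipeline only requires swapping `SAMPLE_OUTPUT` for the live generator; the parser is the same in both cases, which is what makes it testable without a network interface.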

Installation - How to monitor specific directories?

Edit C:\Program Files\Attack Monitor\config\monitored_directories.json

For malware analysis it is recommended to monitor all events (except dir_modified) for the directory C:\ with the recursive flag enabled; add further directories if relevant. dir_modified is left out because watchdog raises it for the parent directory of almost every file event, so it adds noise without new information.

How does it work?

  1. An alert arrives from a source (Windows Event Log, Sysmon, filesystem change, TShark).

  2. The alert is checked against config\exceptions\exception.json, which holds every alert that should be ignored. A) For Endpoint Detection a predefined set of ignored alerts is delivered with the software. B) For Malware Analysis you add the exceptions yourself on the live system while it is in a clean state.

  3. Is the alert present in exception.json? Yes) It is discarded [Go to step 1]. No) Go to the next step.

  4. Is learning mode enabled? (It can be enabled from the tray icon, or permanently in the configuration file.) Yes) An alert window pops up asking whether you want to ignore this alert and, if so, which fields must match for an event to count as ignored (simple comparison, substring, regex).

    • If you add an exception for this alert, it is saved to the exceptions [Go to step 1]
    • If you skip the exception window, go to the next step

    No) Go to the next step.

  5. Notify the user about the captured event. Outputs:

    • System tray balloon notification (only while you are moving the mouse and the computer isn't locked)
    • The alert is saved to logs\.txt
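Steps 2 to 4 of this pipeline, fed by the Sysmon source listed under "Based on events from", can be illustrated end to end. The block below is an added example and not Attack Monitor's own code: it flattens a Sysmon process-creation event (the standard Windows event XML schema) into a field dictionary, applies exception rules with the three match types the text names (simple comparison, substring, regex), and builds a new rule from a live event the way learning mode would. The exception rule layout, the event record and the rules themselves are constructed for the example; the page does not document the real exception.json format.

```python
import json
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Namespace used by every Windows event log XML record, Sysmon's included.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon Event ID 1 (process creation) record; not a real export.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Computer>WS01</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgA</Data>
    <Data Name="ParentImage">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="User">WS01\\alice</Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text: str) -> Dict[str, str]:
    """Flatten a Sysmon event into {field: value}, including EventID and Computer."""
    root = ET.fromstring(xml_text)
    event = {
        "EventID": root.findtext("e:System/e:EventID", default="", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name", "")] = data.text or ""
    return event


# Assumed rule layout for this example (not the project's exception.json schema):
# a rule ignores an event when its EventID matches and every listed field matches.
SAMPLE_EXCEPTIONS_JSON = json.dumps([
    {"EventID": "1",
     "fields": {"Image": {"match": "equals",
                          "value": "C:\\Windows\\System32\\svchost.exe"}}},
    {"EventID": "1",
     "fields": {"ParentImage": {"match": "substring", "value": "\\cmd.exe"},
                "CommandLine": {"match": "regex", "value": r"^whoami(\s|$)"}}},
])

# The three comparison kinds the learning-mode dialog offers.
MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda value, pattern: value == pattern,
    "substring": lambda value, pattern: pattern in value,
    "regex": lambda value, pattern: re.search(pattern, value, re.IGNORECASE) is not None,
}


def load_exceptions(json_text: str) -> List[dict]:
    return json.loads(json_text)


def rule_matches(rule: dict, event: Dict[str, str]) -> bool:
    """True when the rule's EventID (if any) and all of its field conditions hold."""
    if rule.get("EventID") not in (None, event.get("EventID")):
        return False
    for field, spec in rule["fields"].items():
        if not MATCHERS[spec["match"]](event.get(field, ""), spec["value"]):
            return False
    return True


def filter_alerts(events: List[Dict[str, str]], rules: List[dict]) -> List[Dict[str, str]]:
    """Steps 2-3: drop every event covered by an exception, keep the rest as alerts."""
    return [ev for ev in events if not any(rule_matches(r, ev) for r in rules)]


def learn_exception(event: Dict[str, str], fields: List[str], match: str = "equals") -> dict:
    """Step 4: build a rule from a live event using the fields the user chose to match on."""
    return {"EventID": event.get("EventID"),
            "fields": {f: {"match": match, "value": event.get(f, "")} for f in fields}}


if __name__ == "__main__":
    ev = parse_sysmon_event(SAMPLE_EVENT_XML)
    rules = load_exceptions(SAMPLE_EXCEPTIONS_JSON)
    for alert in filter_alerts([ev], rules):
        print("ALERT:", alert["Image"], "|", alert["CommandLine"])
    # Learning mode: the user chooses Image + CommandLine, so this exact command is ignored from now on.
    rules.append(learn_exception(ev, ["Image", "CommandLine"]))
    print("after learning:", filter_alerts([ev], rules))
```

Matching on `Image` plus `CommandLine` is the deliberate choice here: an exception keyed on `Image` alone would silence every PowerShell launch, including the encoded-command one the sample is meant to surface, which is the usual mistake when tuning exceptions on a clean machine.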

Known bugs

  • Exit isn't graceful
  • Tray icon appears and disappears